Joint Press Release by MCI and PDPC


The Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) today launched an online public consultation on the proposed amendments to the Personal Data Protection Act (PDPA) and related amendments to the Spam Control Act (SCA). These proposed amendments aim to strengthen public trust, enhance business competitiveness, and provide greater organisational accountability and assurance to consumers, in support of Singapore’s Digital Economy.

2. This is the first comprehensive review since the enactment of the PDPA in 2012 to ensure that it continues to keep pace with technological advances, new business models and global developments in data protection legislation. The key proposed amendments include the introduction of a mandatory breach notification requirement, enhancement to the framework for the collection, use and disclosure of personal data, and the strengthening of PDPC’s enforcement powers. They also incorporate recommendations from the Public Sector Data Security Review Committee to ensure the accountability of third parties handling Government personal data and introduce offences for egregious mishandling of personal data.

3. MCI/PDPC held three public consultations1 on the key policy proposals between 2017 and 2019, and has taken into consideration the feedback received for the proposed amendments to the PDPA and the SCA. This public consultation seeks feedback on the draft Personal Data Protection (Amendment) Bill, which includes related amendments to the SCA.

4. PDPC’s Deputy Commissioner, Mr Yeong Zee Kin, said, “Our daily activities in an increasingly connected and competitive Digital Economy generate a large amount of data – including in recent weeks when many interactions have shifted online. Organisations that wish to thrive in this dynamic and evolving environment must move beyond traditional ‘check box’ compliance-based approach to adopt an accountability approach. To help organisations in their journey towards accountability, we have introduced a number of tools for organisations to adopt responsible data protection measures. The public’s trust in organisations’ management of their data is especially important when digital services such as e-commerce are becoming increasingly prevalent. The amendments which MCI/PDPC are introducing to the PDPA will support our organisations’ efforts as they transform and grow in the Digital Economy to better serve consumers.” 

Public Consultation

5. The key amendments that MCI/PDPC are inviting feedback on include: 

a) Accountability of organisations

  • Mandatory data breach notification requirement: Organisations will be required to notify PDPC of a data breach that results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach relates to (“affected individuals”); or (ii) is of a significant scale. Organisations will also be required to notify the affected individuals if the data breach is likely to result in significant harm to them. 

b) Meaningful consent 

  • Expand deemed consent: To facilitate the use and processing of personal data for reasonable business purposes, the concept of ‘deemed consent’ will be expanded to cover circumstances where: i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or ii) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out.

  • New exceptions for legitimate interests and business improvement: To cater to situations where there are larger public or systemic benefits where obtaining individuals’ consent may not be appropriate, organisations will be able to collect, use or disclose personal data for legitimate interests.  MCI/PDPC will also make it clearer that organisations can use personal data properly collected for business improvement purposes.   

c) Consumer autonomy

  • Data portability: With the new Data Portability Obligation, individuals will be able to request for a copy of their personal data to be transmitted to another organisation. This will enable consumers to switch to new service providers more easily. It will also support the development of new and innovative services/applications as organisations can have more access to data. 
  • Expanded protection from unsolicited messages: Sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software will be prohibited under the PDPA’s Do Not Call Provisions. The SCA will also be amended to cover commercial text messages sent to Instant Messaging accounts and in bulk.

d) Effectiveness of PDPC’s enforcement

  • Enhanced enforcement powers: To serve as a stronger deterrent, financial penalties for organisations that breach the PDPA will be increased to up to 10% of their annual turnover or S$1 million, whichever is higher2

6. The public consultation document and procedures for submission of feedback are available on MCI’s website from 14 May 2020. All submissions shall reach MCI/PDPC no later than 28 May 2020, 5pm.

Annex A: Public Consultation Document
Annex B: Personal Data Protection (Amendment) Bill 2020

1  Three public consultations on MCI/PDPC’s key proposals for the review of the PDPA and SCA were conducted between 2017 and 2019. In these public consultations, MCI/PDPC proposed to introduce, amongst others, (i) deemed consent by notification; (ii) ‘legitimate interests’ exception to consent for collecting, using and disclosing personal data; (iii) mandatory data breach notification; (iv) Data Portability Obligation; and (v) an exception to consent for the use of personal data for ‘business improvement’ purposes. The review also considered the SCA, which was enacted in 2007 to combat spam, with the view to ensuring a technology-neutral approach towards regulating unsolicited commercial electronic (i.e. email and text) messages sent in bulk. 
2  Companies are currently liable for financial penalties of up to S$1 million. 

Speech by Mr Tan Kiat How, Senior Minister of State, Ministry of Communications and Information at the “Overcoming the Financial Sector’s AIDA Talent Shortage: Roadmap for 2023 and Beyond” event on 22 May 2023 Speeches Digital Defence, Cyber Security, Digital Readiness 22 May 23
Speech by Mrs Josephine Teo, Minister for Communications and Information, at the launch of "Stewardship of the Singapore Media Staying on Course" on 16 May 2023 Speeches Others, Infocomm Media 16 May 23
MCI Response to PQ on Steps to Protect Consumers and Businesses from Losses due to Disruption of Digital Services by Service Providers Parliament QAs Digital Readiness, Digital Defence 09 May 23
MCI Response to PQ on Ensuring Development and Maintenance of Ethical Artificial Intelligence Standards Parliament QAs Cyber Security, Digital Readiness 09 May 23
MCI Response to PQ on Regulatory Framework for Artificial Intelligence Governance in Singapore Parliament QAs Cyber Security, Government Technology 21 Apr 23
Transcript of Welcome Remarks by Mrs Josephine Teo, Minister for Communications and Information, at SingPost’s Buka Puasa on 13 Apr 2023 Speeches Others 13 Apr 23